Karen Scarfone's Publications and Blog

Here are links to my online publications and blog posts! Sign up to get a weekly email update when I release a new pub or blog post. 

SP 1800-34, Validating the Integrity of Computing Devices

Organizations are increasingly at risk of cyber supply chain compromise, whether intentional or unintentional. Cyber supply chain risks include counterfeiting, unauthorized production, tampering, theft, and insertion of unexpected software and hardware. Managing these risks requires ensuring the integrity of the cyber supply chain and its products and services. This project demonstrates how organizations can verify that the internal components of the computing devices they acquire, whether laptops or servers, are genuine and have not been tampered with. This solution relies on device vendors storing information within each device, and organizations using a combination of commercial off-the-shelf and open-source tools that work together to validate the stored information. This NIST Cybersecurity Practice Guide describes the work performed to build and test the full solution.

Top 5 vulnerability scanning tools for security teams

Vulnerability scanning tools enable organizations to search for and discover potential weaknesses within their environment. Such tools have changed since debuting about 30 years ago. In the beginning, there were two basic types of vulnerability scanners. One scanned the internal network to find hosts on the network, determine what network ports were open and potentially "fingerprint" each host by studying its network behavior to pinpoint its OS and OS version. The other type of vulnerability sc

Software Supply Chain and DevOps Security Practices: Implementing a Risk-Based Approach to DevSecOps

DevOps brings together software development and operations to shorten development cycles, allow organizations to be agile, and maintain the pace of innovation while taking advantage of cloud-native technology and practices. Industry and government have fully embraced and are rapidly implementing these practices to develop and deploy software in operational environments, often without a full understanding and consideration of security. Also, most software today relies on one or more third-party components, yet organizations often have little or no visibility into and understanding of how these components are developed, integrated, deployed, and maintained, as well as the practices used to ensure the components’ security. To help improve the security of DevOps practices, the NCCoE is planning a DevSecOps project that will focus initially on developing and documenting an applied risk-based approach and recommendations for secure DevOps and software supply chain practices consistent with the Secure Software Development Framework (SSDF), Cybersecurity Supply Chain Risk Management (C-SCRM), and other NIST, government, and industry guidance. This project will apply these DevSecOps practices in proof-of-concept use case scenarios that will each be specific to a technology, programming language, and industry sector. Both closed source (proprietary) and open source technology will be used to demonstrate the use cases. This project will result in a freely available NIST Cybersecurity Practice Guide.

4 Things to Know About Passwordless Authentication

Everyone seems to agree that passwords and password management are a pain. Many universities have adopted multifactor authentication, but MFA still requires the use of passwords. Organizations adopting zero-trust security measures may want to look for something stronger. Passwordless authentication is MFA without a password. Instead, it uses biometric verification, cryptographic keys and other types of authentication factors frequently supported by existing devices. Companies such as Microsoft, Apple and Google already support these standards in their products and services. Here are four things university IT leaders should keep in mind when considering whether to adopt passwordless authentication.

How to Create a Higher Ed Incident Response Playbook

Most universities have incident response playbooks, but these plans are often taken for granted. With so many cybersecurity and technology issues to tackle, IT shops sometimes create incident response plans, then forget about them. That could be a big mistake. A university’s incident response playbook is the most important foundational document driving its incident response management activities. Outdated plans and plans that don’t reflect your current approach to incident handling can slow the detection of complex threats and data breaches, allowing preventable damage to occur and delaying the restoration of normal operations. Up-to-date, robust incident response plans also are often required to obtain cyber insurance. Whether you want to make sure your existing plan still meets your university’s needs or you’re looking to create a new incident response plan, here’s what you need to know about what it should contain and how it should be implemented.

Find Out Who and What Is Accessing Your Digital Assets

Ready or not, zero trust is coming to your agency soon. The Office of Management and Budget’s Memorandum M-22-09, “Moving the U.S. Government Toward Zero Trust Cybersecurity Principles,” indicates that all federal agencies must “achieve specific zero trust security goals by the end of Fiscal Year 2024.” There are two foundational parts of zero trust. The first is knowing what data and other digital assets you have and where they are. The other is knowing who and what (e.g., cloud-based services) can access each of those assets.

How to Develop a Cybersecurity Strategy: Step-by-Step Guide

A cybersecurity strategy is a high-level plan for how your organization will secure its assets during the next three to five years. Obviously, because technology and cyber threats can both change unpredictably, you'll almost certainly have to update your strategy sooner than three years from now. A cybersecurity strategy isn't meant to be perfect; it's a strongly educated guess as to what you should do. Your strategy should evolve as your organization and the world around you evolve. The intend

Use shadow IT discovery to find unauthorized devices and apps

The acquisition and unauthorized use of hardware, software, services and media by users or groups within an organization is known as shadow IT -- and it's a rampant trend across companies. Shadow IT often occurs because people want to use the devices and apps they like and are comfortable with rather than the ones available from IT -- and they perceive the IT department as an obstacle or source of delay if they want to get preferred devices and apps approved. Unfortunately, IT departments can'